[openstack-dev] [oslo.utils] allow strutils.mask_password to mask keys dynamically

Matthew Van Dijk mvandijk at tesora.com
Fri Mar 20 15:06:08 UTC 2015

I’ve come across a use case for allowing dynamic keys to be made
secret. The hardcoded list is good for common keys, but there will be
cases where masking a custom value is useful without having to add it
to the hardcoded list.
I propose we add an optional parameter that is a list of secret_keys
whose values will be masked.
There is concern that this will lead to differing levels of security.
But I disagree as either the message will be masked before passing on
or mask_password will be called. In this case the developer should be
aware of the incoming data and manually mask it.
Keeping with a hardcoded list discourages use of the function.

More information about the OpenStack-dev mailing list